From 0959f2bb54a685807217ea93b53db25a8ce9181e Mon Sep 17 00:00:00 2001 
From: Patrick J Volkerding Date: Sat, 13 Jun 2020 20:40:31 +0000 Subject: Sat Jun 13 20:40:31 UTC 2020 a/pam-1.4.0-x86_64-1.txz: Upgraded. IMPORTANT NOTE: This update removes the pam_cracklib and pam_tally2 modules. None of our current configuration files in /etc/pam.d/ use either of those, but if the configuration files on your machine do you'll need to comment out or remove those lines, otherwise you may experience login failures. a/shadow-4.8.1-x86_64-9.txz: Rebuilt. /etc/pam.d/system-auth: prefix lines that call pam_gnome_keyring.so with '-' to avoid spamming the logs about failures. a/sysvinit-scripts-2.1-noarch-32.txz: Rebuilt. rc.S: create /var/run/faillock directory for pam_faillock(8). a/util-linux-2.35.2-x86_64-2.txz: Rebuilt. /etc/pam.d/login: change the example for locking an account for too many failed login attempts to use pam_faillock instead of pam_tally2. l/imagemagick-7.0.10_19-x86_64-1.txz: Upgraded. l/libzip-1.7.1-x86_64-1.txz: Upgraded. n/openssh-8.3p1-x86_64-2.txz: Rebuilt. /etc/pam.d/sshd: change the example for locking an account for too many failed login attempts to use pam_faillock instead of pam_tally2. 
--- .../fedora-patches/pam-1.4.0-redhat-modules.patch | 29 ++++++++++++ source/a/pam/pam.SlackBuild | 53 +++++++++++----------- source/a/pam/patches/pam.pam_tally2.no.fsync.patch | 35 -------------- source/a/pam/patches/pam.pam_tally2.slackware.diff | 11 ----- source/a/shadow/pam.d/system-auth | 4 +- source/a/shadow/shadow.SlackBuild | 2 +- source/a/sysvinit-scripts/scripts/rc.S | 3 ++ .../a/sysvinit-scripts/sysvinit-scripts.SlackBuild | 2 +- source/a/util-linux/pam.d/login | 11 +++-- source/a/util-linux/util-linux.SlackBuild | 2 +- source/l/libzip/slack-desc | 2 +- source/n/openssh/openssh.SlackBuild | 2 +- source/n/openssh/sshd.pam | 13 ++++-- 13 files changed, 81 insertions(+), 88 deletions(-) create mode 100644 source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch delete mode 100644 source/a/pam/patches/pam.pam_tally2.no.fsync.patch delete mode 100644 source/a/pam/patches/pam.pam_tally2.slackware.diff (limited to 'source')
diff --git a/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
new file mode 100644
index 000000000..fda4eca75
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
@@ -0,0 +1,29 @@
+--- ./configure.ac.orig 2020-06-08 05:17:27.000000000 -0500
++++ ./configure.ac 2020-06-13 14:11:04.857950668 -0500
+@@ -712,6 +712,7 @@
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile modules/pam_console/Makefile modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+--- ./modules/Makefile.am.orig 2020-06-08 05:17:27.000000000 -0500
++++ ./modules/Makefile.am 2020-06-13 14:12:28.614946035 -0500
+@@ -53,6 +53,8 @@
+ SUBDIRS := \
+ pam_access \
+ $(MAYBE_PAM_CRACKLIB) \
++ pam_chroot \
++ pam_console \
+ pam_debug \
+ pam_deny \
+ pam_echo \
+@@ -76,6 +78,7 @@
+ $(MAYBE_PAM_NAMESPACE) \
+ pam_nologin \
+ pam_permit \
++ pam_postgresok \
+ pam_pwhistory \
+ $(MAYBE_PAM_RHOSTS) \
+ pam_rootok \
diff --git a/source/a/pam/pam.SlackBuild b/source/a/pam/pam.SlackBuild
index 23aad8bc5..f5d1d3d6c 100755
--- a/source/a/pam/pam.SlackBuild
+++ b/source/a/pam/pam.SlackBuild
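Review bot: Both hunks still carry pam_cracklib in their context (`modules/pam_cracklib/Makefile` in configure.ac, `$(MAYBE_PAM_CRACKLIB)` in modules/Makefile.am), so this patch does not by itself take pam_cracklib out of the build even though the changelog says the update removes it; presumably the module is dropped by a configure option or by cracklib being absent at build time, and that deserves a sentence in pam.SlackBuild so the changelog's login-failure warning stays true on the next rebuild. The patch also wires three pam-redhat module directories (pam_chroot, pam_console, pam_postgresok) into configure.ac and SUBDIRS, which is not visible from the SlackBuild line that applies it; a comment next to the `zcat ... pam-1.4.0-redhat-modules.patch.gz` line, e.g. `# Hook the pam-redhat module dirs (pam_chroot, pam_console, pam_postgresok) into configure.ac and modules/Makefile.am`, would make the package contents traceable.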
@@ -87,36 +87,35 @@ tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z || exit 1
 for file in CHANGELOG COPYING README ; do
 mv pam-redhat-$PAMRHVER/${file}* ./${file}.pam-redhat
 done
-mv pam-redhat-$PAMRHVER/* modules
-zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
+# Add additional PAM modules from Red Hat:
+for file in pam-redhat-$PAMRHVER/* ; do
+ if [ ! -d modules/$(basename $file) ]; then
+ echo "Moving module directory $(basename $file)."
+ mv $file modules
+ else
+ echo "$(basename $file) already exists in modules/, not moving!"
+ fi
+done
+# NOTE: Linux-PAM-1.4.0 already ships with most of these applied:
+#zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fedora-patches/pam-1.4.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.6-limits-user.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.8-audit-user-mgmt.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.3.0-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-
-# pam_tally2 removed in recent redhat-modules.patch, but we'll keep it
-# for now since system-auth in the shadow package uses it. Perhaps see if
-# pam_faillock can replace the usage there?
-zcat $CWD/patches/pam.pam_tally2.slackware.diff.gz | patch -p1 --verbose || exit 1
-
-# Upstream git patch to prevent pam_tally2 from doing an fsync()
-# with every failed login. This can cause system slowdowns, especially
-# on Internet-connected machines that may endure endless dictionary
-# attacks.
-zcat $CWD/patches/pam.pam_tally2.no.fsync.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
 # Improve the comments in /etc/environment:
 zcat $CWD/patches/pam.etc.environment.better.comments.diff.gz | patch -p1 --verbose || exit 1
diff --git a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch b/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
deleted file mode 100644
index 15b40115d..000000000
--- a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
+++ /dev/null
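Review bot: The hunk leaves fifteen `#zcat ... | patch -p1` lines behind as commented-out dead code under a note that 1.4.0 "already ships with most of these applied", which does not record which patches are genuinely upstream now and which were dropped on purpose. `pam-1.1.8-full-relro.patch` in particular is, by its name, a link-hardening patch, so whether its effect survives in the 1.4.0 build is worth confirming on the installed modules (RELRO/BIND_NOW flags in the ELF headers) rather than inferred from the upstream version. Replacing the commented block with one comment that splits the list, e.g. `# Fedora patches no longer applied to 1.4.0 -- already upstream: <list>; deliberately dropped: <list>`, keeps the history without leaving recipe lines that nobody maintains. The enclosing script continues on both sides of the hunk.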
@@ -1,35 +0,0 @@
-From b136bff25e93be6f11de74aca03569022364b973 Mon Sep 17 00:00:00 2001
-From: "Maciej S. Szmigiero"
-Date: Mon, 25 Feb 2019 20:50:48 +0100
-Subject: [PATCH] pam_tally2: Remove unnecessary fsync()
-
-pam_tally2 does fsync() after writing to a tally file.
-This causes hard drive cache flushes on every failed SSH login on many
-(if not most) filesystems.
-And an internet-exposed machine can have a lot of these failed logins.
-
-This operation however doesn't seem to be necessary - the pam_tally2
-module does not do any operation which would need explicit post-crash
-ordering, it just does simple file reads and writes.
-And doing a fsync() after them doesn't close any race if the system happens
-to crash between a write being posted and its fsync() completion.
-
-Let's remove this operation to get rid of all these extra cache flushes.
----
- modules/pam_tally2/pam_tally2.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
-index 984edf6a..ce7f5aee 100644
---- a/modules/pam_tally2/pam_tally2.c
-+++ b/modules/pam_tally2/pam_tally2.c
-@@ -484,10 +484,6 @@ set_tally(pam_handle_t *pamh, uid_t uid,
- }
- }
-
-- if (fsync(*tfile)) {
-- pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename);
-- return PAM_AUTH_ERR;
-- }
- return PAM_SUCCESS;
- }
diff --git a/source/a/pam/patches/pam.pam_tally2.slackware.diff b/source/a/pam/patches/pam.pam_tally2.slackware.diff
deleted file mode 100644
index 8ab853210..000000000
--- a/source/a/pam/patches/pam.pam_tally2.slackware.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./modules/Makefile.am.orig 2019-07-16 13:18:28.619322386 -0500
-+++ ./modules/Makefile.am 2019-07-16 13:45:49.260371056 -0500
-@@ -10,7 +10,7 @@
- pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- pam_selinux pam_sepermit pam_shells pam_stress \
-- pam_succeed_if pam_time pam_timestamp \
-+ pam_succeed_if pam_tally2 pam_time pam_timestamp \
- pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
-
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
index c1d77dbdc..d504e232c 100644
--- a/source/a/shadow/pam.d/system-auth
+++ b/source/a/shadow/pam.d/system-auth
@@ -12,7 +12,7 @@ auth required pam_env.so
 auth optional pam_group.so
 auth sufficient pam_unix.so likeauth nullok
 auth required pam_deny.so
-auth optional pam_gnome_keyring.so
+-auth optional pam_gnome_keyring.so
 ##################
 # Account checks #
@@ -67,4 +67,4 @@ session required pam_limits.so
 session required pam_unix.so
 #session required pam_lastlog.so showfailed
 #session optional pam_mail.so standard
-session optional pam_gnome_keyring.so auto_start
+-session optional pam_gnome_keyring.so auto_start
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index 403268789..a37b2ef3d 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=shadow
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-8}
+BUILD=${BUILD:-9}
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/a/sysvinit-scripts/scripts/rc.S b/source/a/sysvinit-scripts/scripts/rc.S
index 0fecf21fe..e0188a108 100644
--- a/source/a/sysvinit-scripts/scripts/rc.S
+++ b/source/a/sysvinit-scripts/scripts/rc.S
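Review bot: The `-` prefix added on `+-auth optional pam_gnome_keyring.so` (and on the session line in the second system-auth hunk) only stops libpam from logging when the module cannot be loaded because the file is missing, as pam.conf(5) describes; it does not silence errors returned by the module once it is installed, so the changelog's "failures" wording is broader than what the lines actually change. Because the meaning of a leading `-` is easy to miss in a pam.d file, a comment above each prefixed line would help the next reader, e.g. `# Leading '-': don't log an error if pam_gnome_keyring.so is not installed (pam.conf(5)).`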
@@ -420,6 +420,9 @@ touch /var/run/utmp
 chown root:utmp /var/run/utmp
 chmod 664 /var/run/utmp
+# In case pam_faillock(8) is being used, create the tally directory:
+mkdir -p /var/run/faillock
+
 # Update the current kernel level in the /etc/motd (Message Of The Day) file,
 # if the first line of that file begins with the word 'Linux'.
 # You are free to modify the rest of the file as you see fit.
diff --git a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
index 07249e8e8..212f78872 100755
--- a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
+++ b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=sysvinit-scripts
 VERSION=${VERSION:-2.1}
 ARCH=noarch
-BUILD=${BUILD:-31}
+BUILD=${BUILD:-32}
 # If the variable PRINT_PACKAGE_NAME is set, then this script will report what
 # the name of the created package would be, and then exit. This information
diff --git a/source/a/util-linux/pam.d/login b/source/a/util-linux/pam.d/login
index 9209ef5bf..1e965f11e 100644
--- a/source/a/util-linux/pam.d/login
+++ b/source/a/util-linux/pam.d/login
@@ -1,9 +1,14 @@
 #%PAM-1.0
 auth required pam_securetty.so
-# To set a limit on failed authentications, the pam_tally2 module
-# can be enabled. See pam_tally2(8) for options.
-#auth required pam_tally2.so deny=4 unlock_time=1200
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth requisite pam_faillock.so preauth
 auth include system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth [default=die] pam_faillock.so authfail
+#auth sufficient pam_faillock.so authsucc
 auth include postlogin
 account required pam_nologin.so
 account include system-auth
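Review bot: `mkdir -p /var/run/faillock` creates the tally directory with whatever mode the umask in effect at that point of rc.S yields, while the neighbouring utmp lines set their permissions explicitly (`chown root:utmp`, `chmod 664`). The per-user tally files that pam_faillock keeps there are read and written on every login attempt, so the directory must not end up group- or world-writable, or an unprivileged user could tamper with other users' lock state. Making the mode explicit costs one flag and removes the dependency on the surrounding umask: `mkdir -p -m 0755 /var/run/faillock`.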
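Review bot: With `auth include system-auth` sitting between them, the commented `#auth sufficient pam_faillock.so authsucc` line can never run on a successful login: system-auth's `auth sufficient pam_unix.so` (shown as context in this commit's system-auth hunk) returns success for the whole stack when pulled in with `include`, so the lines after the include are reached only on the failure path. Failures are therefore recorded by the `[default=die] pam_faillock.so authfail` line but are never cleared by a later success, only by `unlock_time`/`fail_interval` expiry or a manual `faillock --reset`. The layout pam_faillock(8) documents for a `sufficient pam_unix.so` stack is to reset in the account phase instead: drop the `authsucc` line and add `#account required pam_faillock.so` ahead of `account required pam_nologin.so`. The same applies to source/n/openssh/sshd.pam in this commit, where the removed `#account required pam_tally2.so` line was exactly that slot.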
diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild
index 1467bc42e..3c33fe586 100755
--- a/source/a/util-linux/util-linux.SlackBuild
+++ b/source/a/util-linux/util-linux.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=util-linux
 VERSION=${VERSION:-$(echo util-linux*.tar.xz | cut -d - -f 3 | rev | cut -f 3- -d . | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 ADJTIMEXVERS=1.29
 SETSERIALVERS=2.17
diff --git a/source/l/libzip/slack-desc b/source/l/libzip/slack-desc
index e44f28641..39d3427bf 100644
--- a/source/l/libzip/slack-desc
+++ b/source/l/libzip/slack-desc
@@ -13,7 +13,7 @@ libzip: zip archives. Files can be added from data buffers, files, or
 libzip: compressed data copied directly from other zip archives. Changes
 libzip: made without closing the archive can be reverted.
 libzip:
-libzip: Homepage: http://www.nih.at/libzip/
+libzip: Homepage: https://libzip.org
 libzip:
 libzip:
 libzip:
diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild
index 3c614d877..3a423c91f 100755
--- a/source/n/openssh/openssh.SlackBuild
+++ b/source/n/openssh/openssh.SlackBuild
@@ -30,7 +30,7 @@ PKG=$TMP/package-openssh
 PKGNAM=openssh
 VERSION=${VERSION:-$(echo openssh-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
diff --git a/source/n/openssh/sshd.pam b/source/n/openssh/sshd.pam
index 570412d68..dcf1ff3fd 100644
--- a/source/n/openssh/sshd.pam
+++ b/source/n/openssh/sshd.pam
@@ -4,13 +4,16 @@
 # need to add additional consoles to /etc/securetty if you want to allow
 # root logins on them, such as: ssh, pts/0, :0, etc
 #auth required pam_securetty.so
-# To set a limit on failed authentications, the pam_tally2 module
-# can be enabled. See pam_tally2(8) for options.
-#auth required pam_tally2.so deny=4 unlock_time=1200
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth requisite pam_faillock.so preauth
 auth include system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth [default=die] pam_faillock.so authfail
+#auth sufficient pam_faillock.so authsucc
 auth include postlogin
-# Also uncomment this line to use pam_tally2:
-#account required pam_tally2.so
 account required pam_nologin.so
 account include system-auth
 password include system-auth
-- 
cgit v1.2.3